[svn r21106] logic changes - improvements security in document tool - (partial FS#3909)

16 years ago · e52e052704
parent 0e4227493e
commit e52e052704
11 changed files with 102 additions and 106 deletions
--- a/main/document/create_document.php
+++ b/main/document/create_document.php
@ -1,4 +1,4 @@
-<?php // $Id: create_document.php 20794 2009-05-18 18:00:36Z iflorespaz $
+<?php // $Id: create_document.php 21106 2009-05-30 16:25:16Z iflorespaz $
 /*
 ==============================================================================
@ -186,11 +186,11 @@ function InnerDialogLoaded()
 </script>';
-include (api_get_path(LIBRARY_PATH).'fileUpload.lib.php');
+require_once api_get_path(LIBRARY_PATH).'fileUpload.lib.php';
-include (api_get_path(LIBRARY_PATH).'document.lib.php');
+require_once api_get_path(LIBRARY_PATH).'document.lib.php';
-include (api_get_path(LIBRARY_PATH).'groupmanager.lib.php');
+require_once api_get_path(LIBRARY_PATH).'groupmanager.lib.php';
-include (api_get_path(LIBRARY_PATH).'events.lib.inc.php');
+require_once api_get_path(LIBRARY_PATH).'events.lib.inc.php';
-include (api_get_path(LIBRARY_PATH).'formvalidator/FormValidator.class.php');
+require_once api_get_path(LIBRARY_PATH).'formvalidator/FormValidator.class.php';
 $nameTools = get_lang('CreateDocument');
 $fck_attribute['Width'] = '100%';
@ -210,7 +210,7 @@ if(!api_is_allowed_to_edit()) {
 	Constants and variables
 -----------------------------------------------------------
 */
-$dir = isset($_GET['dir']) ? $_GET['dir'] : $_POST['dir']; // please do not modify this dirname formatting
+$dir = isset($_GET['dir']) ? Security::remove_XSS($_GET['dir']) : Security::remove_XSS($_POST['dir']); // please do not modify this dirname formatting
 /*
 ==============================================================================
 		MAIN CODE
--- a/main/document/document.inc.php
+++ b/main/document/document.inc.php
@ -1,4 +1,4 @@
-<?php // $Id: document.inc.php 20798 2009-05-18 18:13:25Z cvargas1 $
+<?php // $Id: document.inc.php 21106 2009-05-30 16:25:16Z iflorespaz $
 /*
 ==============================================================================
@ -310,19 +310,19 @@ function build_edit_icons($curdirpath,$type,$path,$visibility,$id,$is_template,$
 	$sort_params = array();
 	if( isset($_GET['column']))
 	{
-		$sort_params[] = 'column='.$_GET['column'];
+		$sort_params[] = 'column='.Security::remove_XSS($_GET['column']);
 	}
 	if( isset($_GET['page_nr']))
 	{
-		$sort_params[] = 'page_nr='.$_GET['page_nr'];
+		$sort_params[] = 'page_nr='.Security::remove_XSS($_GET['page_nr']);
 	}
 	if( isset($_GET['per_page']))
 	{
-		$sort_params[] = 'per_page='.$_GET['per_page'];
+		$sort_params[] = 'per_page='.Security::remove_XSS($_GET['per_page']);
 	}
 	if( isset($_GET['direction']))
 	{
-		$sort_params[] = 'direction='.$_GET['direction'];
+		$sort_params[] = 'direction='.Security::remove_XSS($_GET['direction']);
 	}	
 	$sort_params = implode('&amp;',$sort_params);
 	$visibility_icon = ($visibility==0)?'invisible':'visible';
--- a/main/document/document.php
+++ b/main/document/document.php
@ -1,4 +1,4 @@
-<?php // $Id: document.php 20789 2009-05-18 16:54:06Z cfasanando $
+<?php // $Id: document.php 21106 2009-05-30 16:25:16Z iflorespaz $
 /*
 ==============================================================================
 	Dokeos - elearning and course management software
@ -66,19 +66,19 @@
 $language_file[] = 'document';
 $language_file[] = 'slideshow';
-require("../inc/global.inc.php");
+require_once "../inc/global.inc.php";
 $this_section=SECTION_COURSES;
-require('document.inc.php');
+require_once 'document.inc.php';
-require('../inc/lib/usermanager.lib.php');
+require_once '../inc/lib/usermanager.lib.php';
 api_protect_course_script(true);
 //session
 if(isset($_GET['id_session']))
-	$_SESSION['id_session'] = $_GET['id_session'];
+	$_SESSION['id_session'] = Security::remove_XSS($_GET['id_session']);
 // Is the document tool visible?
 // Check whether the tool is actually visible
@ -112,16 +112,11 @@ function confirmation (name)
 //what's the current path?
 //we will verify this a bit further down
-if(isset($_GET['curdirpath']) && $_GET['curdirpath']!='')
+if(isset($_GET['curdirpath']) && $_GET['curdirpath']!='') {
-{
+	$curdirpath = Security::remove_XSS($_GET['curdirpath']);
-	$curdirpath = $_GET['curdirpath'];
+} elseif (isset($_POST['curdirpath']) && $_POST['curdirpath']!='') {
-}
+	$curdirpath = Security::remove_XSS($_POST['curdirpath']);
-elseif (isset($_POST['curdirpath']) && $_POST['curdirpath']!='')
+} else {
 {
 	$curdirpath = $_POST['curdirpath'];
 }
 else
 {
 	$curdirpath = '/';
 }
 $curdirpathurl = urlencode($curdirpath);
@ -194,11 +189,11 @@ else
 //the main_api.lib.php, database.lib.php and display.lib.php
 //libraries are included by default
-include_once(api_get_path(LIBRARY_PATH) . 'fileDisplay.lib.php');
+require_once api_get_path(LIBRARY_PATH) . 'fileDisplay.lib.php';
-include_once(api_get_path(LIBRARY_PATH) . 'events.lib.inc.php');
+require_once api_get_path(LIBRARY_PATH) . 'events.lib.inc.php';
-include_once(api_get_path(LIBRARY_PATH) . 'document.lib.php');
+require_once api_get_path(LIBRARY_PATH) . 'document.lib.php';
-include_once(api_get_path(LIBRARY_PATH) . 'tablesort.lib.php');
+require_once api_get_path(LIBRARY_PATH) . 'tablesort.lib.php';
-include_once(api_get_path(LIBRARY_PATH) . 'fileUpload.lib.php');
+require_once api_get_path(LIBRARY_PATH) . 'fileUpload.lib.php';
 //-----------------------------------------------------------
@ -239,8 +234,9 @@ $course_quota = DocumentManager::get_course_quota();
 //-------------------------------------------------------------------//
 if (isset($_GET['action']) && $_GET['action']=="download")
 {
 	$my_get_id=Security::remove_XSS($_GET['id']);
 	//check if the document is in the database
-	if(!DocumentManager::get_document_id($_course,$_GET['id']))
+	if(!DocumentManager::get_document_id($_course,$my_get_id))
 	{
 		//file not found!
 		header('HTTP/1.0 404 Not Found');
@ -256,15 +252,15 @@ if (isset($_GET['action']) && $_GET['action']=="download")
 		exit;
 	}  
 	// launch event
-	event_download($_GET['id']);
+	event_download($my_get_id);
    // check visibility of document and paths
    if (!($is_allowed_to_edit || $group_member_with_upload_rights) &&
-        !DocumentManager::is_visible($_GET['id'], $_course)){        
+        !DocumentManager::is_visible($my_get_id, $_course)){        
        api_not_allowed();
    }
-    $doc_url=$_GET['id'];
+    $doc_url=$my_get_id;
 	$full_file_name = $base_work_dir.$doc_url;
 	DocumentManager::file_send_for_download($full_file_name,true);
 	exit;
@ -368,22 +364,22 @@ if($is_allowed_to_edit || $group_member_with_upload_rights) // TEACHER ONLY
 	/*======================================
 				MOVE FILE OR DIRECTORY
 	  ======================================*/
-
+	$my_get_move=Security::remove_XSS($_GET['move']); 
 	if (isset($_GET['move']) && $_GET['move']!='')
 	{	
 		if (!$is_allowed_to_edit)
 		{
-			if(DocumentManager::check_readonly($_course,$_user['user_id'],$_GET['move']))
+			if(DocumentManager::check_readonly($_course,$_user['user_id'],$my_get_move))
 			{
 				api_not_allowed();	 
 			}
 		}
-		if(DocumentManager::get_document_id($_course,$_GET['move']))
+		if(DocumentManager::get_document_id($_course,$my_get_move))
 		{
 			$folders = DocumentManager::get_all_document_folders($_course,$to_group_id,$is_allowed_to_edit || $group_member_with_upload_rights);
 			echo '<div class="row"><div class="form_header">'.get_lang('Move').'</div></div>';
-			echo build_move_to_selector($folders,$_GET['curdirpath'],$_GET['move'],$group_properties['directory']);
+			echo build_move_to_selector($folders,Security::remove_XSS($_GET['curdirpath']),$my_get_move,$group_properties['directory']);
 		}
@ -393,7 +389,7 @@ if($is_allowed_to_edit || $group_member_with_upload_rights) // TEACHER ONLY
 	{
 		if (!$is_allowed_to_edit)
 		{
-			if(DocumentManager::check_readonly($_course,$_user['user_id'],$_GET['move']))
+			if(DocumentManager::check_readonly($_course,$_user['user_id'],$my_get_move))
 			{
 				api_not_allowed();	
 			}
--- a/main/document/document_slideshow.inc.php
+++ b/main/document/document_slideshow.inc.php
@ -1,4 +1,4 @@
-<?php // $Id: document_slideshow.inc.php 16755 2008-11-15 19:50:44Z yannoo $
+<?php // $Id: document_slideshow.inc.php 21106 2009-05-30 16:25:16Z iflorespaz $
 /*
 ==============================================================================
 	Dokeos - elearning and course management software
@ -89,14 +89,14 @@ if ( count($all_files) > 0 )
 	}
 }
-$tablename_column = (isset($_GET['tablename_column'])?$_GET['tablename_column']:0);
+$tablename_column = (isset($_GET['tablename_column'])? Security::remove_XSS($_GET['tablename_column']):0);
 if($tablename_column==0){
 	$tablename_column=1;
 }
 else{
 	$tablename_column= intval($tablename_column)-1;
 }
-$tablename_direction = (isset($_GET['tablename_direction'])?$_GET['tablename_direction']:'ASC');
+$tablename_direction = (isset($_GET['tablename_direction'])? Security::remove_XSS($_GET['tablename_direction']):'ASC');
 $image_files_only = sort_files($array_to_search);
 $_SESSION["image_files_only"] = $image_files_only;
--- a/main/document/download.php
+++ b/main/document/download.php
@ -1,4 +1,4 @@
-<?php // $Id: download.php 20388 2009-05-07 12:38:12Z spyroux $
+<?php // $Id: download.php 21106 2009-05-30 16:25:16Z iflorespaz $
 /*
 ==============================================================================
 	Dokeos - elearning and course management software
@ -50,10 +50,10 @@
 session_cache_limiter('none');
-include('../inc/global.inc.php');
+require_once '../inc/global.inc.php';
 $this_section=SECTION_COURSES;
-include(api_get_path(LIBRARY_PATH).'document.lib.php');
+require_once api_get_path(LIBRARY_PATH).'document.lib.php';
 $doc_url = $_GET['doc_url'];
 //change the '&' that got rewritten to '///' by mod_rewrite back to '&'
@ -95,9 +95,9 @@ if (substr($refer_script,0,15) == "/fillsurvey.php") {
 		//mod_rewrite can change /some/path/ to /some/path// in some cases, so clean them all off (Ren<EFBFBD>)
 		while ($doc_url{$dul = strlen($doc_url)-1}=='/') $doc_url = substr($doc_url,0,$dul);
 		//group folder?
-		$gid_req = ($_GET['gidReq'])?'&gidReq='.$_GET['gidReq']:'';
+		$gid_req = ($_GET['gidReq'])?'&gidReq='.Security::remove_XSS($_GET['gidReq']):'';
 		//create the path
-		$document_explorer = api_get_path(WEB_CODE_PATH).'document/document.php?curdirpath='.urlencode($doc_url).'&cidReq='.$_GET['cidReq'].$gid_req;
+		$document_explorer = api_get_path(WEB_CODE_PATH).'document/document.php?curdirpath='.urlencode($doc_url).'&cidReq='.Security::remove_XSS($_GET['cidReq']).$gid_req;
 		//redirect
 		header('Location: '.$document_explorer);
 	}
--- a/main/document/edit_document.php
+++ b/main/document/edit_document.php
@ -1,4 +1,4 @@
-<?php // $Id: edit_document.php 20794 2009-05-18 18:00:36Z iflorespaz $
+<?php // $Id: edit_document.php 21106 2009-05-30 16:25:16Z iflorespaz $
 /*
 ==============================================================================
 	Dokeos - elearning and course management software
@ -57,7 +57,7 @@ $language_file = 'document';
 	Included libraries
 ------------------------------------------------------------------------------
 */
-include('../inc/global.inc.php');
+require_once '../inc/global.inc.php';
 // Template's javascript
 $htmlHeadXtra[] = '
@ -110,13 +110,13 @@ function FCKeditor_OnComplete( editorInstance )
 $_SESSION['whereami'] = 'document/create';
 $this_section=SECTION_COURSES;
-include(api_get_path(LIBRARY_PATH).'fileManage.lib.php');
+require_once api_get_path(LIBRARY_PATH).'fileManage.lib.php';
-include(api_get_path(LIBRARY_PATH).'fileUpload.lib.php');
+require_once api_get_path(LIBRARY_PATH).'fileUpload.lib.php';
-include(api_get_path(LIBRARY_PATH).'events.lib.inc.php');
+require_once api_get_path(LIBRARY_PATH).'events.lib.inc.php';
-include(api_get_path(LIBRARY_PATH).'document.lib.php');
+require_once api_get_path(LIBRARY_PATH).'document.lib.php';
-include_once(api_get_path(LIBRARY_PATH) . 'groupmanager.lib.php');
+require_once api_get_path(LIBRARY_PATH) . 'groupmanager.lib.php';
-require_once(api_get_path(LIBRARY_PATH).'formvalidator/FormValidator.class.php');
+require_once api_get_path(LIBRARY_PATH).'formvalidator/FormValidator.class.php';
 $fck_attribute['Width'] = '100%';
 $fck_attribute['Height'] = '600';
@ -149,7 +149,7 @@ $file = $_GET['file'];
 //echo('file: '.$file.'<br>');
 $doc=basename($file);
 //echo('doc: '.$doc.'<br>');
-$dir=$_GET['curdirpath'];
+$dir=Security::remove_XSS($_GET['curdirpath']);
 //echo('dir: '.$dir.'<br>');
 $file_name = $doc;
 //echo('file_name: '.$file_name.'<br>');
@ -233,8 +233,8 @@ if(!empty($_SESSION['_gid']))
 	$group_document = true;
 	$noPHP_SELF=true;
 }
-
+$my_cur_dir_path=Security::remove_XSS($_GET['curdirpath']);
-$interbreadcrumb[]=array("url"=>"./document.php?curdirpath=".urlencode($_GET['curdirpath']).$req_gid, "name"=> get_lang('Documents'));
+$interbreadcrumb[]=array("url"=>"./document.php?curdirpath=".urlencode($my_cur_dir_path).$req_gid, "name"=> get_lang('Documents'));
 $is_allowedToEdit = is_allowed_to_edit() || $_SESSION['group_member_with_upload_rights'];
@ -631,8 +631,9 @@ $owner_id = Database::result($rs,0,'insert_user_id');
 if ($owner_id == $_user['user_id'] || api_is_platform_admin() || api_is_allowed_to_edit() || GroupManager :: is_user_in_group($_user['user_id'],$_SESSION['_gid'] ))
 {  
-	
+	$get_cur_path=Security::remove_XSS($_GET['curdirpath']);
-	$action =  api_get_self().'?sourceFile='.urlencode($file_name).'&curdirpath='.urlencode($_GET['curdirpath']).'&file='.urlencode($_GET['file']).'&doc='.urlencode($doc);
+	$get_file=Security::remove_XSS($_GET['file']);
 	$action =  api_get_self().'?sourceFile='.urlencode($file_name).'&curdirpath='.urlencode($get_cur_path).'&file='.urlencode($get_file).'&doc='.urlencode($doc);
 	$form = new FormValidator('formEdit','post',$action);
 	// form title
@ -699,7 +700,7 @@ if ($owner_id == $_user['user_id'] || api_is_platform_admin() || api_is_allowed_
 	$defaults['filename'] = $filename;
 	$defaults['extension'] = $extension;
-	$defaults['file_path'] = $_GET['file'];
+	$defaults['file_path'] = Security::remove_XSS($_GET['file']);
 	$defaults['commentPath'] = $file;
 	$defaults['renameTo'] = $file_name;
 	$defaults['newComment'] = $oldComment;
--- a/main/document/footerpage.php
+++ b/main/document/footerpage.php
@ -4,7 +4,7 @@
 *	@package dokeos.document
 ==============================================================================
 */
-include('../inc/global.inc.php');
+require_once '../inc/global.inc.php';
 ?>
 <html>
--- a/main/document/headerpage.php
+++ b/main/document/headerpage.php
@ -8,28 +8,27 @@
 $language_file = 'document';
-	include('../inc/global.inc.php');
+require_once '../inc/global.inc.php';
-	$noPHP_SELF=true;
+$noPHP_SELF=true;
-	$header_file= Security::remove_XSS($_GET['file']);	
+$header_file= Security::remove_XSS($_GET['file']);	
-	$path_array=explode('/',str_replace('\\','/',$header_file));
+$path_array=explode('/',str_replace('\\','/',$header_file));
-	$path_array = array_map('urldecode',$path_array);
+$path_array = array_map('urldecode',$path_array);
-	$header_file=implode('/',$path_array);
+$header_file=implode('/',$path_array);
-	$nameTools = $header_file;
+$nameTools = $header_file;
-	if(isset($_SESSION['_gid']) && $_SESSION['_gid']!='')
+if(isset($_SESSION['_gid']) && $_SESSION['_gid']!='') {
-	{
+	$req_gid = '&amp;gidReq='.$_SESSION['_gid'];
-		$req_gid = '&amp;gidReq='.$_SESSION['_gid'];
+	$interbreadcrumb[]= array ("url"=>"../group/group_space.php?gidReq=".$_SESSION['_gid'], "name"=> get_lang('GroupSpace'));
-		$interbreadcrumb[]= array ("url"=>"../group/group_space.php?gidReq=".$_SESSION['_gid'], "name"=> get_lang('GroupSpace'));
+}
 	}
-	$interbreadcrumb[]= array ("url"=>"./document.php?curdirpath=".dirname($header_file).$req_gid, "name"=> $langDocuments);
+$interbreadcrumb[]= array ("url"=>"./document.php?curdirpath=".dirname($header_file).$req_gid, "name"=> $langDocuments);
-	$interbreadcrumb[]= array ("url"=>"showinframes.php?file=".$header_file, "name"=>$header_file);
+$interbreadcrumb[]= array ("url"=>"showinframes.php?file=".$header_file, "name"=>$header_file);
-	Display::display_header(null,"Doc");
+Display::display_header(null,"Doc");
-	echo "<div align=\"center\">";
+echo "<div align=\"center\">";
-	echo "<a href='".api_get_path('WEB_COURSE_PATH').$_course['path'].'/document'.$header_file."?".api_get_cidreq()."' target='blank'>".$lang_cut_paste_link."</a></div>";
+echo "<a href='".api_get_path('WEB_COURSE_PATH').$_course['path'].'/document'.$header_file."?".api_get_cidreq()."' target='blank'>".$lang_cut_paste_link."</a></div>";
 ?>
--- a/main/document/quota.php
+++ b/main/document/quota.php
@ -1,4 +1,4 @@
-<?php // $Id: quota.php 20420 2009-05-08 20:11:57Z herodoto $
+<?php // $Id: quota.php 21106 2009-05-30 16:25:16Z iflorespaz $
 /*
 ==============================================================================
 	Dokeos - elearning and course management software
@ -34,11 +34,11 @@
 $language_file = 'document';
 // including the global dokeos file
-include("../inc/global.inc.php"); 
+require_once "../inc/global.inc.php"; 
 // including additional libraries
-include_once(api_get_path(LIBRARY_PATH) . 'fileUpload.lib.php');
+require_once api_get_path(LIBRARY_PATH) . 'fileUpload.lib.php';
-include_once(api_get_path(LIBRARY_PATH) . 'document.lib.php');
+require_once api_get_path(LIBRARY_PATH) . 'document.lib.php';
 // some constants and variables 
 $courseDir   = $_course['path']."/document";
--- a/main/document/showinframes.php
+++ b/main/document/showinframes.php
@ -1,4 +1,4 @@
-<?php // $Id: showinframes.php 17403 2008-12-20 15:27:21Z herodoto $ 
+<?php // $Id: showinframes.php 21106 2009-05-30 16:25:16Z iflorespaz $ 
 /*
 ============================================================================== 
 	Dokeos - elearning and course management software
@ -53,14 +53,14 @@
 ============================================================================== 
 */ 
 $language_file[] = 'document';
-include('../inc/global.inc.php');
+require_once '../inc/global.inc.php';
 if (!empty($_GET['nopages']))
 {
 	$nopages=Security::remove_XSS($_GET['nopages']);
 	if ($nopages==1)
 	{		
-		require_once(api_get_path(INCLUDE_PATH) . 'reduced_header.inc.php');
+		require_once api_get_path(INCLUDE_PATH) . 'reduced_header.inc.php';
 		Display::display_error_message(get_lang('FileNotFound'));
 	}
 	exit();	
@ -84,7 +84,7 @@ header('Last-Modified: Wed, 01 Jan 2100 00:00:00 GMT');
 header('Cache-Control: no-cache, must-revalidate');
 header('Pragma: no-cache');
-$browser_display_title = "Dokeos Documents - " . $_GET['cidReq'] . " - " . $file;
+$browser_display_title = "Dokeos Documents - " . Security::remove_XSS($_GET['cidReq']) . " - " . $file;
 //only admins get to see the "no frames" link in pageheader.php, so students get a header that's not so high
 $frameheight = 135;
--- a/main/document/upload.php
+++ b/main/document/upload.php
@ -1,4 +1,4 @@
-<?php // $Id: upload.php 20798 2009-05-18 18:13:25Z cvargas1 $
+<?php // $Id: upload.php 21106 2009-05-30 16:25:16Z iflorespaz $
 /*
 ==============================================================================
 	Dokeos - elearning and course management software
@ -59,15 +59,15 @@
 $language_file = 'document';
 // including the global Dokeos file
-include("../inc/global.inc.php");
+require_once "../inc/global.inc.php";
 // including additional libraries
-include_once(api_get_path(LIBRARY_PATH) . 'fileUpload.lib.php');
+require_once api_get_path(LIBRARY_PATH) . 'fileUpload.lib.php';
-include_once(api_get_path(LIBRARY_PATH) . 'events.lib.inc.php');
+require_once api_get_path(LIBRARY_PATH) . 'events.lib.inc.php';
-include_once(api_get_path(LIBRARY_PATH) . 'document.lib.php');
+require_once api_get_path(LIBRARY_PATH) . 'document.lib.php';
-require_once(api_get_path(LIBRARY_PATH) . 'specific_fields_manager.lib.php');
+require_once api_get_path(LIBRARY_PATH) . 'specific_fields_manager.lib.php';
-require_once (api_get_path(LIBRARY_PATH).'formvalidator/FormValidator.class.php');
+require_once api_get_path(LIBRARY_PATH).'formvalidator/FormValidator.class.php';
-include('document.inc.php');
+require_once 'document.inc.php';
 // adding extra javascript to the form
 $htmlHeadXtra[] =
@ -324,8 +324,8 @@ if(isset($_FILES['user_upload']))
            $courseid = api_get_course_id();
            isset($_POST['language'])? $lang=Database::escape_string($_POST['language']): $lang = 'english';
-            require_once(api_get_path(LIBRARY_PATH).'search/DokeosIndexer.class.php');
+            require_once api_get_path(LIBRARY_PATH).'search/DokeosIndexer.class.php';
-            require_once(api_get_path(LIBRARY_PATH).'search/IndexableChunk.class.php');
+            require_once api_get_path(LIBRARY_PATH).'search/IndexableChunk.class.php';
            $ic_slide = new IndexableChunk();
            $ic_slide->addValue("title", $file_title);